Research Project
description
Transcript of Research Project
9/23/2004 SIS/chow 1
Research Project
Techniques and Tools for Supporting Secure Information Sharing and
Collaborative Work
C. Edward Chow, PIGanesh Godavari, GRA
Department of Computer ScienceUniversity of Colorado at Colorado Springs
Sponsored by NISSC - AFSOR
9/23/2004 SIS/chow 2
USNORTHCOM Research Question Addressed
9/23/2004 SIS/chow 3
Research Focus and Purpose
Research Focus: Investigate Critical Techniques and Tools for Supporting Secure Information Sharing (SIS) and Collaborative Work
Tasks:• Investigate efficient key and attributed certificate
management for large-scale information sharing and collaborative workeasier/faster to share.
• Study Infrastructure support for secure web-based collaborative applicationsfast to setup, reliable, secure
• Research ubiquitous computing for sharing sensor and web informationaccess/distribute info anywhere, anytime, anyway
9/23/2004 SIS/chow 4
Schedule Update
• Follow the same schedule.
9/23/2004 SIS/chow 5
Current Project Status: Task 1
Investigate efficient key and attributed certificate management for large-scale information sharing and collaborative work
• Studied issues in large scale web-based secure access control using Public Key Infrastructure (PKI) and Privilege Management Infrastructure (PMI).
• Developed a concept prototype that demonstrate secure web access control with enhanced LDAP and Apache web servers.
• Working on distributed directory server systems for supporting information sharing among multiple agencies
9/23/2004 SIS/chow 6
Current Project Status: Task 2
Study Infrastructure support for secure web-based collaborative applications
• Explored the use of Content Delivery Network (CDN) Infrastructure to support secure web-based collaborative applications.
• Idea Utilize existing CDN such as Akamai; extend existing web document caching functions to soft real-time collaborative applications (IM).
• Investigating the solutions for resolving security issues between Java applets and cache servers.
9/23/2004 SIS/chow 7
Current Project Status: Task 3
Research ubiquitous computing for sharing sensor and web information
• Keeping track of current sensor network and ubiquitous computing literature.
• Investigated new MicaZ sensor based on new 802.15.4 standard.
• Plan to focus on this task Spring 2005.
9/23/2004 SIS/chow 8
Current Funding Status
• Paid for one faculty summer month salary.
• Paid for two GRA summer month salary.
• Paid for a Sony VGN-A170B notebook.
9/23/2004 SIS/chow 9
Anticipated Results
• Identify issues and present solutions for creating and managing a large scale secure web-based information sharing system among multiple independent agencies Sharing results through publications.
• Design prototypes for demonstrating the key concepts from the above research Sharing software developed in this project by posting on CS and NISSC web sites.
9/23/2004 SIS/chow 10
Preliminary Findings
• Attribute certificate (RFC 328) based Privilege Management Infrastructure (PMI) make it easy to implement the secure role based access control in large scale SIS.
• Web Servers can be enhanced with LDAP module to allow role-based access control.
• LDAP can be extended to include attributed certificates.
• LDAP can function as a central place for creating and managing the roles of users.
9/23/2004 SIS/chow 11
Privilege Management Infrastructure (PMI)
• Privilege Management Infrastructure– Similar to Public
Key Infrastructure– Function is to
specify the policy for the attribute certificate issuance and management
Concept PKI entity PMI entity
Certificate Public Key Certificate (PKC)
Attribute Certificate (AC)
Certificate issuer
CertificationAuthority (CA)
Attribute Authority (AA)
Certificate user Subject Holder
Certificatebinding
Subject’s Name to Public Key
Holder’s Name to Privilege Attribute(s)
Revocation CertificateRevocation List(CRL)
Attribute CertificateRevocation List
(ACRL)
Root of trust Root CA or TrustAnchor
Source of Authority (SOA)
SubordinateAuthority
SubordinateCertificationAuthority
Attribute Authority (AA)
Comparison of PKIs and PMIs [2]
9/23/2004 SIS/chow 12
PKC vs. AC
PKC binds a subject (DN) to a public keyAC's binds permission (attributes) to an entity
9/23/2004 SIS/chow 13
Unanticipated Results
• Single LDAP is easy to configure. • Ganesh had a tough time to extend LDAP to
include attribute certificates to work with the current stable version of openldap 2.2-15. We use an older version 2.0.27-8 instead.
• Octetstringmatch does not work in new version and the suggestions of Dr. Chadwick of Permis Group for adding new object ID type was not accepted by openldap group (wait for standard?).
• But it is really a pain to configure a set of LDAP server for cooperation (delegation/trust).
9/23/2004 SIS/chow 14
Unanticipated Results Performance Results on a single agency scenario
Total timetaken for
LDAPaccess (ms)
Total Time taken forAttribute certificateretrieval and validation
(ms)
1 13.871 43.850001
2 13.778 43.734001
3 13.912 43.720021
Avg. 13.853667 43.76800767
9/23/2004 SIS/chow 15
Issues and Challenges
• Automated tools for setting up SIS infrastructure with LDAP/Web servers/clients from multiple agencies.
• Further Investigation on Federated Identity, RBAC policy and Security Assertion Markup Language (SAML)
• Study policy-based systems and policy enforcing mechanisms, e.g., Michigan’s Antigone.
• It is difficult to set up secure information sharing prototype without a real CA. Need tools to speed up the creation of certificates and the installation of fake CA certificates on every client/server.
9/23/2004 SIS/chow 16
Needed Assistance
• Large scale multiple agencies field trials to obtain real benchmarking results.
• Help obtain samples of policies used in agencies, in terms of– Data sent over non-secure channels (such as
Internet, wireless access)– Account creation– Certificate issuing
9/23/2004 SIS/chow 17
Expectations Moving Forward
• Explore issues in supporting large scale notification systems.
• Potential new funding…(DHS,DoD,NSF)
• Submit results to conferences IDCS/USENIX.
9/23/2004 SIS/chow 18
alpha-sis-connecticut
Internet Internet
Internet
Web Server
LDAP Server
sis-nissc.csnet.uccs.edu
LDAP Server
sis-connecticut.csnet.uccs.edu
Internet
alpha-sis-nissc
PKC
LDAP Server
sis-canada.csnet.uccs.edu
LDAP Server
sis-newjersy.csnet.uccs.edu
SIS Testbed
9/23/2004 SIS/chow 19
Directory Information Tree for sis-canada
ou=coordinationExcercise
dc=sis-canada, dc=edu
ou=Research
alpha-sis-canada
epsilon-sis-canada
Similar DIT is for all the servers
9/23/2004 SIS/chow 20
Demo• alpha-sis-nissc access information from sis-
connecticut.csnet.uccs.edu (level1 directory requires level1 manager role, which alpha is)– https://sis-connecticut.csnet.uccs.edu/level1/review.txt– https://sis-connecticut.csnet.uccs.edu/level1/upload.html
• beta-sis-connecticut access information from sis-nissc.csnet.uccs.edu and sis-canada.csnet.uccs.edu (level2 directory requires level2 asstmanager role, which beta is)– https://sis-nissc.csnet.uccs.edu/level2/review.txt– https://sis-canada.csnet.uccs.edu/level2/review.txt
• epsilon-sis-newjersey access information from sis-newjersey.csnet.uccs.edu (level3 directory requires level3 submanager role, which epsilon is)– https://sis-newjersey.csnet.uccs.edu/level3/review.txt